CVE-2021-25078

Affiliates Manager < 2.9.0 - Unauthenticated Stored Cross-Site Scripting

EPSS 2.3%CWE-79

Vexday Risk Score

18Bajo

Decisión SSVC (CISA)

Attend

PoC disponible → seguir de cerca

CVSS —EPSS 2.3%KEV nãoPoC —Nuclei simMetasploit —Patch —

Ciclo de vida

24 ene 2022Publicada en NVD

Recomendación: Planificar corrección próxima — ya existe PoC pública.

The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests.

Productos afectados

Unknown · Affiliates Manager

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://plugins.trac.wordpress.org/changeset/2648196 https://wpscan.com/vulnerability/d4edb5f2-aa1b-4e2d-abb4-76c46def6c6e